[tor-project] Questions about Tor reproducibility

Hello friends,

Another project with which I and Aspiration do a lot of work is
Reproducible Builds (https://reproducible-builds.org/)

We are doing some communications and "amplification" on the Reproducible
Builds team, and I'm wondering who in Tor has reproducibility on their
plate, and might be good to talk to about Tor thinking on reproducibility?

We are trying to identify things we might visualize as well as how you
are thinking about RB these days?

Thanks in advance...

peace,
gunner

Hello friends,

Another project with which I and Aspiration do a lot of work is
Reproducible Builds (https://reproducible-builds.org/)

We are doing some communications and "amplification" on the Reproducible
Builds team, and I'm wondering who in Tor has reproducibility on their
plate, and might be good to talk to about Tor thinking on reproducibility?

You might want to go and talk to the Tor Browser devs, they build TB in
a reproducible way with tor-browser-build [1]. For (little-t) tor there
has been some work to make reproducible tarballs recently [2]

We are trying to identify things we might visualize as well as how you
are thinking about RB these days?

Thanks in advance...

peace,
gunner

[1] The Tor Project / Applications / tor-browser-build · GitLab
[2] release: Patches to make tarball reproducible (!473) · Merge requests · The Tor Project / Core / Tor · GitLab

Hi Gunner!

Hello friends,

Another project with which I and Aspiration do a lot of work is
Reproducible Builds (https://reproducible-builds.org/)

We are doing some communications and "amplification" on the Reproducible
Builds team, and I'm wondering who in Tor has reproducibility on their
plate, and might be good to talk to about Tor thinking on reproducibility?

We are trying to identify things we might visualize as well as how you
are thinking about RB these days?

We are still doing reproducible builds: for each Tor Browser release we
have two people from the team building and comparing the results of the
builds (and investigating and fixing the issue if it's not matching).
And this page has instructions for people who want to reproduce our
builds:

However checking that builds have been reproduced is still a manual
process. I think the next step would be to have more people building
Tor Browser, with some system to publish the results, and then having
the Tor Browser updater check before applying an update that it has been
built by multiple trusted builders. However since we are a small team
and already busy with many other things, this is not very high priority
at the moment.

Nicolas

According to Debian, Tor (little t) is reproducible too:

https://tests.reproducible-builds.org/debian/rb-pkg/unstable/amd64/tor.html

(Hi gunner

a.

Hey Gunner!

Besides what boklm said; there have been some proposals for including
browser update hashes in the consensus for additional trust, as a form
of Binary Transparency type thing.
https://gitweb.torproject.org/torspec.git/tree/proposals/227-vote-on-package-fingerprints.txt

Firefox as built by Mozilla is also reproducible, but the scale
between Tor Browser and Firefox is quite large so it's a very
different kind of 'reproducible'.

-tom